This blog started as merely a means of describing who was behind certain spam campaigns and which illicit products they were selling illegally. Now it's more of an overall examination of how spam is merely one part of international organized crime.

Wednesday, October 29, 2008

Lots of spam suddenly showing up claiming to be on behalf of eNom.com, a well-known domain registrar.

Investigating these phishing attempts leads down a very dark hole indeed.

The eNom phishing sites are attempting to gather up domain information. For exactly what purpose is unclear, but you can imagine: theft of a large number of domains, or redirection of previously "good" domains to harmful content.

The contact information on these sites is all identical, and should be familiar to anyone who investigates this crap. Let's take one example domain, sys82.net:

And the rest are supporting several other domains featuring the eNom phishing setup.

Note the diversity of the IP addresses associated with those domains: every single one of these is being hosted via a botnet, presumably home computers infected with Asprox. I had been reading up on several investigations into that botnet, and now it appears it's directly a part of my own spam investigations.

Many of the domains supported by those name servers are, of course, sites which promote, sell, and distribute child pornography. Fortunately, as I write this, none of these sites is responding. (Good work on getting those shut down, whoever you are.)

A quick investigation of one of those sites leads to a payment processing site known as Avalonpay.com. A search on that domain turns up an interesting blog entry on matchent.com concerning a similar investigation. The registrant contact data for that domain includes the company name "Absolutee Corp. Ltd.", allegedly based in Hong Kong:

"Jaret [note: speaking on behalf of RBN] also says there's no mystery about the company's ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company's principals remain anonymous. The registration information for the company's website lists a company called Absolutee Corp. LTD as the owner of the domain name. "

The article also mentioned that the whois info for RBN was changed later, and it has now expired.

I'm a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 54

I'm a hot brunette girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Subject: RE: Message 30

I am an atractive blonde, and I'm searching for a man to chat with by email or by Skype, or even meet in reality!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5

Of course I never initiated any communication with anyone in Russia (thus: why would there be a "Re:" in the subject in the first place?) This same affiliate (idAff=5) is sending me, on average, five to ten of these per hour, and the wording makes it clear he has utterly no idea what he's doing. Nobody should be dumb enough to click on any of these messages, especially since they all arrived virtually simultaneously.

Ignoring all of that: who describes themselves this way? There's just no basis in reality in any of these messages. Also: nobody is dumb enough to assume they are the sole object of this "woman's" affection. Literally everyone I discuss spam with has received these messages, and continues to do so.
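The tells in this run (a "Re:" subject with no conversation behind it, the same idAff tag in every body, a pile of messages arriving within seconds of each other) can be turned into a simple triage check. This is an added example, not part of the original post; the sample messages and the dating.example domain are constructed stand-ins, and only the idAff=5 parameter comes from the post.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed samples modelled on the "RE: Message NN" run; the domain is a
# placeholder, idAff=5 mirrors the post. The last message is a genuine reply.
SAMPLES = [
    "Subject: RE: Message 54\nDate: Wed, 29 Oct 2008 10:00:00 +0000\n\n"
    "I'm a hot brunette girl looking for a pen friend!\nMy home page: http://dating.example/?idAff=5\n",
    "Subject: RE: Message 30\nDate: Wed, 29 Oct 2008 10:00:07 +0000\n\n"
    "I am an attractive blonde searching for a man to chat with!\nMy home page: http://dating.example/?idAff=5\n",
    "Subject: Re: Message 12\nDate: Wed, 29 Oct 2008 10:00:41 +0000\n\n"
    "I'm a beautiful girl who looks for a male pen friend!\nMy home page: http://dating.example/?idAff=5\n",
    "Subject: Re: lunch tomorrow?\nIn-Reply-To: <a1@mail.example>\nDate: Wed, 29 Oct 2008 09:12:00 +0000\n\n"
    "Sure, noon works.\n",
]

REPLY_RE = re.compile(r"^\s*re:", re.IGNORECASE)
AFF_RE = re.compile(r"[?&]idAff=(\d+)")

def is_fake_reply(msg):
    """A 'Re:' subject with no In-Reply-To/References header is a reply to nothing."""
    looks_like_reply = REPLY_RE.match(msg.get("Subject", "")) is not None
    has_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    return looks_like_reply and not has_thread

def affiliate_ids(msg):
    """Affiliate tags in the body; one id repeated across messages points at one mailer."""
    return AFF_RE.findall(msg.get_payload())

def burst_size(dates, window_s=60):
    """Largest number of messages whose Date headers fall inside any single window."""
    ts = sorted(d.timestamp() for d in dates)
    return max(sum(1 for t in ts if start <= t <= start + window_s) for start in ts)

def triage(raw_messages):
    """Summarise a batch: how many fake replies, dominant affiliate id, tightest burst."""
    msgs = [message_from_string(r) for r in raw_messages]
    affs = Counter(a for m in msgs for a in affiliate_ids(m))
    return {
        "total": len(msgs),
        "fake_replies": sum(is_fake_reply(m) for m in msgs),
        "top_affiliate": affs.most_common(1)[0] if affs else None,
        "burst": burst_size(parsedate_to_datetime(m["Date"]) for m in msgs),
    }
```

Run on the samples, triage() reports three fake replies, affiliate id "5" three times, and three messages inside one 60-second window, while the genuine reply is left alone.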

This affiliate was previously sending me non-stop VPXL spam (prior to the shutdown of SanCash / AffKing, of course). I can tell simply because he's applying the same template and frequency to this "UADreams" spam run. He also mails on behalf of GlavMed / Spamit and is among the mailers sending four times as much "Canadian Pharmacy" spam to everyone on the planet.

I've blogged about UALadys in the past. They clearly have no problem paying mailers to send millions of messages illegally to anybody. This idiot has no idea who's in his lists, and he doesn't care. I could be a 98 year old woman or a five year old boy. He will still assume I am interested in meeting a Russian woman to date and / or marry. This is the typical intellect of the average mailer. Not only do they not segment their lists or clean them, they just flat-out have no idea whatsoever of who is in their lists. Yet they believe it's up to us to take care of that by "just deleting" the millions -- or billions, as we've seen recently -- of messages they clog the Internet with on a daily basis.

Needless to say: you should never join ANY dating site which uses unsolicited email to promote itself.

Tuesday, October 14, 2008

A quick note today about some recent news which I think we've all been expecting for some time now.

Shane Atkinson, his brother Lance, and several others are currently the subject of intense legal action over the by-now well-known spam operation SanCash, aka GenBucks.

If you caught any of the news last year regarding this setup, you might remember the BBC4 report which connected several dots between Atkinson, GenBucks, a product called "Manster" and a company called Tulip Lab.

Well, two very big announcements today confirm, and place in the public record, that this investigative work was definitely on the right track.

This story, posted mere minutes ago, outlines pending fines of $200,000 per person against Shane and Lance Atkinson (together the foundation of SanCash) and Roland Smits, and also confirms that they ran both GenBucks and SanCash to promote what are now confirmed to be bogus and / or dangerous products manufactured and distributed by Tulip Lab, most notably Express Herbal (sold under approximately a dozen names over the past two years).

It gets better: The US Federal Trade Commission has also taken action against the above-mentioned operators of GenBucks / SanCash, as well as Jody Smith, a resident of Texas, and four companies they operate. The FTC further mentions the widespread illegality of how they sent their messages (using an internationally seeded botnet), and also mentions AffKing, which is what SanCash used to be called.

Assets for all of the above entities have been frozen, effectively cutting off the profit source for any mailers who still insist on promoting these bogus, dangerous products.

The FTC press release puts a very fine point on the rampant falsehoods perpetrated on a daily (hell: hourly) basis by these criminals:

One product called "VPXL" was touted as an herbal male-enhancement pill. Advertised as "100% herbal and safe," it supposedly caused a permanent increase in the size of a user's penis. The agency alleged that not only did the pills not work, but they were neither "100% herbal" nor "safe," because they contained sildenafil – the active ingredient in Viagra. At the FTC's request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil.

And more:

The FTC also alleges that the defendants made false claims about the security of consumers' credit card information and the other data they were required to provide to buy goods. In operating the online pharmacy, which was called "Target Pharmacy" and later "Canadian Healthcare," the defendants' Web site assured potential consumers that "TARGET PHARMACY treats your personal information (including credit card data) with the highest level of security," according to papers filed with the court. The Web site went on to describe its encryption process, which supposedly involved "Secure Socket Layer (SSL) technology." FTC investigators, however, found no indication that the Web sites were encrypted using SSL technology.

The FTC also challenged claims made for a weight-loss supplement pill purportedly containing Hoodia gordonii, a cactus-like plant found in southern Africa that supposedly could cause users to lose up to six pounds a week. The FTC charged that the claims were false and violated federal law.

Really: just read the whole thing. It'll bring a huge smile to your face. If you have an email address, you've most likely (98% chance) received spam for these "products", and anybody with half a brain already knows most of what was just quoted above.

This is a good day, and makes this among the worst years ever for illegal spammers, as well as their sponsors and supply chain operators.

I fully expect to see lots of nonchalant postings on any of the remaining underground spam forums (whatever happened to Bulkerforum.biz anyway?). They can all claim that we should have all "just deleted" the billions of inbound messages that these scumbags continually pumped into everybody's inboxes with impunity. They're wrong. [How does one "just delete" 3000 of these per day without throwing the baby out with the bathwater? They've essentially ruined email as a usable form of communication.]

My congratulations and gratitude go out to the members of New Zealand law enforcement who worked so diligently over the past nine months to fully investigate these cretins. Also: kudos to the author of spaminmyinbox.com, who did such great investigative work on his own, as well as Simon Cox from the BBC.

SpamIsLame

About Me

I am an independent fighter of those who choose to spam illegally, promoting either fake or illegal products to an unsuspecting public. Like most people, I despise illegal spammers and I will continue to spread knowledge on how to impact their ability to profit from spamming. There is a difference between "marketing" and spamming. Those who claim otherwise are idiots.